Most malicious software, such as computer viruses, Trojan horses, and Internet worms, spreads around the globe through ubiquitous networks. A computer virus can cause a global epidemic in a matter of hours due to inter-continental connections of machines, thus causing costly and sometimes irreversible damage. For example, in May 2000, the Love Bug virus caused more than 10 billion dollars in damages worldwide. Spyware, even though it may not maliciously cause damage to a computer system, is software that is usually hidden from a user, who is unaware of its function, for example, reporting user activity for advertising purposes. A spyware program is similar to a Trojan horse and is considered malicious software, in the context considered here, since it may send key entry information containing passwords and credit card numbers, and it is desirable to detect and prevent such operations.
The term virus is used broadly herein to reference malware, including specific forms of viruses, Trojan horses, spyware, and Internet worms. Current anti-virus (AV) techniques are typically software based and have major weaknesses in combating the spread of malicious software. One of these weaknesses is that anti-virus software looks for viruses after the viruses have already entered a computer system. Another weakness of current AV solutions is that AV programs cannot be run all the time because they consume a significant amount of computing resources. Consequently, there is a high likelihood that a malicious software program has run multiple times before the anti-virus software has been run. With increasing sophistication, malicious software programs are applying techniques to hide from, or in some fashion deal with, AV software, thereby making their detection and removal even more difficult.
Other problems with current AV solutions are that the virus search procedures are long and that AV processing time may vary each time a search is done due to file system changes. The virus search procedures are lengthy in part because they require a significant number of disk accesses. Also, virus search procedures are typically based on a search string or a checksum calculation, depending upon the size of the file being checked. Such search operations are time consuming and compute-resource intensive. Consequently, there is a need for an efficient virus detection system that operates to protect a system from being infected.